Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I am writing a subsearch to get a user details as input for someother search but it is not working when i include the subsearch . need help asap

arunsundarm
Engager
‎05-13-2019 01:28 AM

index=* [search index=_internal [| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user ] |top user limit=1 | fields user ]

Tags (1)
0 Karma
Reply

arunsundarm
Engager
‎05-13-2019 01:29 AM

"index=* [search index=_internal [| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user ] |top user limit=1 | fields user ] "

0 Karma
Reply

maciep
Champion
‎05-13-2019 08:41 AM

do you have non-internal indexes with a field named called user that would match the username of the user running this? the subsearch seems to work for me when I just look at internal logs.

0 Karma
Reply

Sukisen1981
Champion
‎05-13-2019 09:34 AM

Bit difficult to understand your requirement, but if you try this , is the first part of your need achieved?
index=_internal | join user type=inner
[| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user |top user limit=1
| fields user]

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...